• It’s a free service operated by Google
• It hosts lists of URLs: malware, other unwanted software, phishing / social engineering
• It’s used by Android, Gmail, Ads, Search, Chrome, Firefox, Safari, Opera
• Checking “live” adds too much latency to page loads
• Firefox gets new bad URLs from Google every 30 minutes
• Before displaying a page to a user, check the local db

False positives
• Many URLs could have the same 32-bit hash prefix
• Get all the full hashes with the 32-bit prefix from the server
• If the page doesn’t match a full hash, it’s not on the list

Download protection
• Download the file
• Check the main URL, referrer and redirect chain against the local blocklist; block if any of them match
• (Windows) If signed, check the signature against an allow-list of good publishers
• If the file is not binary, allow
• If binary, send metadata to the application reputation server

Privacy
• Browsers don't send all visited URLs to Google
• Safe Browsing data is never used anywhere else at Google
• Firefox removes query string params from the download check
• Firefox stores Safe Browsing cookies in separate storage
• Firefox adds a number of extra “noise” 32-bit hashes when requesting complete hashes
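
The local prefix check, the full-hash confirmation under “False positives” and the noise prefixes under “Privacy”, shown as an added Python example (not Firefox's or Google's code). `FakeServer`, the sample URLs and the random choice of noise prefixes are assumptions, and URL canonicalization is omitted.

```python
import hashlib
import random
import secrets

PREFIX_LEN = 4  # 32-bit prefix, as on the slides

def full_hash(url):
    # Simplification: real clients canonicalize the URL and hash several
    # host/path combinations; here the string is hashed as given.
    return hashlib.sha256(url.encode("utf-8")).digest()

class FakeServer:
    """Constructed stand-in for the list server (hypothetical, not a real API)."""
    def __init__(self, listed_hashes):
        self.listed = set(listed_hashes)
        self.requests = []  # everything the server gets to see

    def prefix_update(self):
        # What the browser downloads periodically into its local db.
        return {h[:PREFIX_LEN] for h in self.listed}

    def full_hashes_for(self, prefixes):
        self.requests.append(list(prefixes))
        wanted = set(prefixes)
        return {h for h in self.listed if h[:PREFIX_LEN] in wanted}

def check_url(url, local_prefixes, server, noise=4):
    h = full_hash(url)
    if h[:PREFIX_LEN] not in local_prefixes:
        return "allow"  # common case: decided locally, nothing is sent
    # Prefix hit: may be a false positive, so fetch the full hashes. The real
    # prefix is hidden among noise prefixes (random here, an assumption).
    request = [h[:PREFIX_LEN]]
    request += [secrets.token_bytes(PREFIX_LEN) for _ in range(noise)]
    random.shuffle(request)
    return "block" if h in server.full_hashes_for(request) else "allow"

# Constructed sample data
BAD = "http://malware.example/payload"
LOOKALIKE = "http://benign.example/"  # shares a prefix with a listed entry
OTHER = "http://unrelated.example/"
# A listed full hash built to share LOOKALIKE's 32-bit prefix
colliding = full_hash(LOOKALIKE)[:PREFIX_LEN] + bytes(28)
server = FakeServer([full_hash(BAD), colliding])
local_db = server.prefix_update()

if __name__ == "__main__":
    for u in (BAD, LOOKALIKE, OTHER):
        print(u, "->", check_url(u, local_db, server))
```

`server.requests` records what the server sees: nothing for a URL with no local prefix hit, and a shuffled list of five prefixes for each hit.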